How to target audits – should the focus be on comprehensiveness or the risks?

How the National Audit Office of Finland (NAOF) targets its audits and selects the audit topics is an interesting question. We cannot audit everything although it sometimes seems that the need exists. The duties of the NAOF are governed by legislation, but the limited resources force us to make choices.

When selecting the audit topics, we have to weigh two options: we can aim at auditing everything as comprehensively as possible, or we can focus on areas where audits can have a high impact on the development of operations or where the operations are assessed to involve a particularly high number of risks. The brand-new risk analysis of the National Audit Office presents the NAOF’s risk weightings related to the state’s financial management and central government finances.

Legislation provides a framework for the targeting of audits

The operations of the National Audit Office, as well as all other government agencies, are governed by legislation. In fact, this applies to all use of state funds. All government operations are governed by general acts and special acts related to government agencies. In addition to them, the legislation includes the annual state budget, which determines the allocation of the funds.

The task of the National Audit Office is to audit the legality and appropriateness of the state’s financial management and compliance with the budget. Audits must therefore be targeted at financial management, that is to say directly at the use of funds, instead of just any activities of public authorities. However, auditing the financial management does not mean auditing only the accounts. The audits must also examine whether funds have been used appropriately, i.e. efficiently and effectively.

Assessment of risk areas

One way of targeting audits is to strive to identify the areas exposed to particularly many or particularly significant risks. To support the selection of audit topics, the NAOF occasionally conducts a more extensive risk analysis, where it examines various risks and risk areas related to the state’s financial management and central government finances. A risk does not refer only to potential realization of unwanted circumstances but also to non-realization of desired circumstances.

In the risk analysis, the risks to the state’s financial management cover financial processes and operations control processes. The risks to central government finances, in turn, are related to the financial situation of central government and the entire public sector. They are risks that can cause problems to the future development of the state’s revenue and expenditure. This could either make it more difficult to generate revenue or increase expenditure in such a manner that the state’s revenue would not cover the state’s expenditure in the long term.

Risk areas of the state’s financial management: automation, outsourcing, and performance management

Automation of financial management always aims at increasing the efficiency of operations and usually also at reducing errors in financial processes. However, the experiences gathered have not always been good. The financial benefits achieved have not met the expectations. Old processes may have been automated only ostensibly, for example. From the perspective of auditing, automation may also have weakened the opportunities to perform control, and it may be impossible to verify the new processes on the same level as before.

Central government has a long history of outsourcing functions. Outsourcing has sometimes meant the establishment of unincorporated enterprises and new companies, to which functions have been transferred. As the central government has become smaller, purchases of services from private actors have increased through procurement. From the audit perspective, the key question in outsourcing is whether it succeeds in increasing the efficiency of operations and in bringing savings. In some cases, there is also the risk that the business form of the outsourced function does not correspond to the actual operations.

Performance management differs from automation and outsourcing as a risk area. Performance management is a basic steering instrument in the state’s financial management. It aims at management by objectives and reporting on the results. In recent years, however, performance management has been left increasingly in the background, and activities related to it have become partly routine without any actual steering. The risk to the state’s financial management is that the performance management system no longer works as intended.

Risk areas of central government finances: taxation, competence, and decision-making capability

Taxation is highlighted as a risk area in all of the change factors which are set out by the Prime Minister’s Office and on which the NAOF’s risk analysis is based. The risks are related to the pressures to change the taxation and, in particular, to the future breadth of the tax base. The demographic trend in Finland is unfavourable, and the technological development and globalization complicate the taxation of labour. Globalization also intensifies tax competition. Taxation can become an increasingly important steering instrument in environmental issues, for example, but taxes with an actual steering effect cannot be considered fiscally sustainable in the longer term.

In view of the demographic trend, competence and competence development have a special role, as it is mainly improved productivity that can bring additional revenue to the central government. The key issue is investing efficiently on building future competence. This covers basic education, upper secondary education, science and research, as well as product development. Further education and retraining also seem to have an increasingly important role in this. Central government plays several roles in competence development. Through funding, it also participates in education organized by municipalities and development activities carried out by companies.

Decision-making capability as a risk area identified by the NAOF includes mainly the preparation and implementation of decision-making, and the quality of the knowledge base. Auditing or assessing the actual policy-making is not part of the NAOF’s duties. Many visions of the future, such as the demographic changes, globalization, technological development, and cyber security, are seen as threats. However, technological development may also improve the knowledge base of decision-making. Failing to seize opportunities is also a risk.

The audit plan is put together like a jigsaw puzzle

It is laid down in the Act on the National Audit Office that audits shall be based on an audit plan. In its audit plan, the National Audit Office presents the audits that are ongoing or that will be launched in the near future. When selecting audits to the audit plan, the NAOF always strives to find a balance between comprehensiveness and making selections. Despite making risk-based selections, the NAOF must also ensure the legality of the state’s financial management and compliance with the budget comprehensively on a certain level. For this reason, financial audits, in particular, aim at auditing an adequate number of actors and their use of funds. It is often laborious to assess the appropriateness of financial management, and, in practice, performance audit resembles research. Selections made in this sense concern more clearly individual audit topics. In any case, audit aims at forming a balanced whole where both of these aspects are considered.

To read a summary of the risk analysis, click on the link below. In my future blog posts, I will go more deeply into the risk areas I have presented here in brief.